Digital Signature: Can I get one?

What is a Signature?

A signature (/ˈsɪɡnətʃər/; from Latin: signare, “to sign”) is, in the traditional meaning, a handwritten (and often stylized) depiction of someone’s name, nickname, or even a simple “X” or other mark that a person writes on documents as proof of identity and intent. The writer of a signature is a signatory or signer. Similar to a handwritten signature, a “signature work” describes a work that readily identifies its creator. A signature should not be confused with an autograph, which is chiefly an artistic signature. The modern meaning of signature includes wet signature, scanned signature, digitized signature, biometric signature, id/password, click/tap signature, electronic signature and digital signature. 

  1. Wet Signature: Refers to someone placing a physical signature or distinct mark on a hard copy of a document with a pen or seal. 
  2. Scanned Signature: Refers to someone placing a wet signature on a hard copy of a document, scanning it and sending the scan to another person. 
  3. Digitized Signature: Refers to someone pasting an image file of their signature onto a document as an act of signing it. 
  4. Biometric Signature: The unique pattern of a bodily feature such as the retina, iris, or voice, encoded on an identity card and used for recognition and identification purposes. 
  5. ID/Password: A user name or id together with a password is a means by which a person is identified to a computer system or network. 
  6. Click/tap Signature: A user who has authorized entry to a digital platform may be presented with a click/tap-to-sign feature, which establishes that the signer actually intends to sign a contract.
  7. Electronic Signature: An Electronic Signature is similar to a Digital Signature, but the digital identity of the signer is not certified and regulated by a certification authority. 
  8. Digital Signature: A Digital Signature is an electronic signature whose underlying identity is certified and regulated by a certification authority. 

A frequently asked question: Is a scanned or digitized signature legally binding? 
Yes, it is legally binding. Even a simple “X” on the placeholder may make a person liable in court. But with a scanned or digitized signature, the obvious risk is that typed signatures, email footers and scanned signatures can so easily be copied or forged that it cannot be long before a serious financial dispute arises in which one party alleges that the ‘signature’ was not applied by them, or that the document was altered after being signed. There is massive scope for dispute even if the forgery is proven, as both parties are likely to have acted in reliance on the forged agreement. It all comes down to mutual trust and corroborating evidence; a scanned image gives you neither proof of who applied it nor proof that the document was not changed afterwards, which is exactly the gap a digital signature closes. 

Digital Signature

In Nepal, the Electronic Transaction Act 2006 (2063) and the Electronic Transaction Rules 2007 (2064) govern the regulations relating to Digital Signatures. 
Here is an excellent summary of digital signature by Lisk Academy. 

Some Key Concepts of Digital Signature

  1. Root Certifying Authority
    RCA is the Root Certifying Authority of Nepal. It was established under the ETA and is responsible for digitally signing the public keys of all the licensed CAs in the country. The RCA root certificate is the highest level of certification in the country and is a self-signed certificate, which is why it must be obtained and trusted out of band rather than verified against anything else. The key activities of the RCA include:
    a) Digitally signing licenses issued by OCC to CA
    b) Digitally signing public keys corresponding to private keys of a CA
    c) Ensuring availability of these signed certificates for verification by a Relying Party through the OCC website Repository
  2. Certificate Practice Statement 

    The Certificate Practice Statement (CPS) is a statement of the practices that a Certification Authority (CA) employs for issuing and managing certificates. A CPS may take the form of a declaration by the CA of the details of its system’s trustworthiness and the practices that it employs both in its operations and in its support of the issuance of a certificate.

  3. Certificate Policy

    Certifying Authorities issue Digital Signature Certificates that are appropriate for specific purposes or applications. A Certificate Policy (CP) describes the different classes of certificates issued by the CA, the procedures governing their issuance and revocation and terms of use of such certificates, besides information regarding the rules governing the different uses of these certificates.

  4. Subscriber Agreement

    A Subscriber Agreement is an agreement between Subscriber and Certifying Authority stating that the subscriber will use the Digital Signature Certificate for the assigned use or objective and that the subscriber is solely responsible for the protection of the private key and ensuring functionality of the unique key pair. The subscriber also agrees through the Subscriber Agreement that all the information provided to CA at the time of registration is accurate. In the event of any change in information, the subscriber is obliged to immediately inform CA. CA is not responsible for any legal disputes arising due to misrepresentation on the part of the subscriber. 

  5. National Repository of Digital Signature Certificates

    In accordance with the Electronic Transaction Act, NRDC is a national repository maintained by the OCC that contains all Digital Signature Certificates and CRLs issued by all the licensed CAs. It also contains all the Digital Signature Certificates and CRLs issued by the OCC through its RCA. All Relying Parties are allowed to verify the authenticity of a CA’s public keys from this repository.

  6. Certificate Revocation List
    The Certificate Revocation List (CRL) is a signed list, published by the CA, of certificates that have been revoked before their expiry date (for example because the private key was lost or compromised) and are therefore no longer valid. A relying party must consult it before trusting a signature, since an otherwise valid-looking certificate may already be revoked.
  7. Controller of Certifying Authorities

    The Controller of Certifying Authorities (OCC) is a Government of Nepal undertaking that licenses and regulates the working of Certifying Authorities. The OCC certifies the public keys of CAs, which enables users in cyberspace to verify that a given certificate is issued by a licensed CA. For this purpose, the OCC operates the Root Certifying Authority of Nepal (RCA). The OCC also maintains the National Repository of Digital Signature Certificates (NRDC), which contains all the certificates issued by all the CAs in the country.

  8. Certifying Authority
    A Certifying Authority is a trusted agency whose central responsibility is to issue, revoke, renew and provide directories for Digital Signature Certificates. According to the Electronic Transaction Act 2063, “Certifying Authority” means a person who has been granted a license to issue Digital Signature Certificates. The Electronic Transaction Act 2063 details the prerequisites of a CA. Accordingly, a prospective CA has to establish the required infrastructure and get it audited by auditors appointed by the office of the Controller of Certifying Authorities. Once all requirements are met, a license to operate as a Certifying Authority can be obtained. The license is issued by the Controller of Certifying Authorities, Ministry of Science and Technology, Government of Nepal. 
    Radiant InfoTech Nepal Pvt. Ltd. is an approved certifying authority of Nepal.  
  9. Registration Authority

    RA (Registration Authority) is an agent of the Certifying Authority who collects the application forms and related documents for Digital Signature Certificates, verifies the information submitted and approves or rejects the application based on the results of the verification process.

  10. Digital Signature Certificate
    A Digital Signature Certificate is a certificate issued by a Certifying Authority to a Digital Signature Subscriber. It is usually provided along with the token device, or it can be obtained in hard copy as well from the Certifying Authority. A Digital Signature Certificate explicitly associates the identity of an individual/device with a pair of electronic keys (a public key and a private key), and this association is endorsed by the CA’s own signature on the certificate. The certificate contains information about the user’s identity (for example their name, pin code, country and email address), the date the certificate was issued, its validity period, and the name of the Certifying Authority that issued it. Note that only the public key is in the certificate; the private key never leaves the subscriber. The two keys complement each other in that what one key does, only the other can undo: a signature made with the private key can be verified only with the matching public key. Browsers and servers rely on the same kind of certificate to establish the identity of the parties during information exchange.
  11. Token Device
    A Token Device is a security device (typically a USB cryptographic token or smart card) on which the private key of the subscriber is stored. It is usually protected by an additional security mechanism such as a PIN/password of the subscriber or a one-time-password system. A token that generates the key pair on the device and never exports the private key gives the strongest protection, because signing then happens inside the token and the key cannot simply be copied off it.
  12. Private Key
    The private key is stored on the user’s computer hard disk or, preferably, on an external device such as a token. The user retains control of the private key; it can only be used after entering the associated password or PIN. A private key kept as a file on disk is only as safe as that file, so anyone who copies it and learns the password can sign in the subscriber’s name, which is why the Subscriber Agreement makes the subscriber solely responsible for protecting it.
  13. Public Key 
    The public key is carried inside the Digital Signature Certificate, which is distributed along with the signed (or encrypted) information. It can also be obtained from a publicly accessible place such as the CA’s directory or the NRDC. 
  14. Asymmetric Key Cryptography
    With asymmetric key cryptography, there is a pair of mathematically related keys. If you encrypt a message with one of the keys, then the other key, and only the other key, can be used to decrypt it. Signing is the mirror image: the signer applies the private key to the document’s digest, and anyone holding the public key can check the result. (Strictly, “encrypting with the private key” describes textbook RSA; modern signature schemes are defined as sign/verify operations with padding and are not literally encryption, but the one-key-signs, other-key-verifies picture is the right mental model.) 

Get your very own Digital Signature

Nothing kills the momentum of a business transaction like paperwork. Leaving your desk to sign a document, couriering it to your client, receiving it back signed, and repeating the whole cycle for every amendment takes a lot of time and administrative hassle. The use of digital signatures helps minimize such inefficient administrative work. So let’s get your very own digital signature already: 

Step 1: Choose what type of certificate you want to obtain. This can be Signature Certificate, Encryption Certificate, Device/System Certificate, SSL Server Certificate, Code Signing Certificate, Document Signer Certificate. 
Step 2: Choose what class of certificate you want to obtain. Depending upon your security needs this may be one of various assurance levels (negative assurance, positive assurance, absolute assurance etc.), which differ in how thoroughly the Registration Authority verifies your identity before issuance. 
Step 3: Go to the Certifying Authority and provide your details to the Registration Authority. Typically an application letter, annual fees (Ref: starting at NRS 3k for a Signature Certificate), token device fees, basic introduction details etc. need to be submitted. 
Step 4: Get your Digital Signature Certificate and Token Device. 

Use your Digital Signature, that easy? Better let's understand how digital signatures work

Digital certificates can be of various types and their uses are also varied. Like stated above, this can be Signature Certificate, Encryption Certificate, Device/System Certificate, SSL Server Certificate, Code Signing Certificate, Document Signer Certificate.

Let’s focus on how a Signature Certificate works on an unencrypted message, for the sake of simplicity in this example. 

Step 1: Get your very own Digital Signature (like discussed above)
Step 2: Prepare your document to be signed
Step 3: Use software like Adobe Acrobat Reader (proprietary) or LibreOffice (open source) to sign your document with your digital signature. This may also be done through online document platforms where digital signing is supported. 
Step 4: You will find an option somewhere in the reader software to sign the document digitally. If you have inserted the token device at this point the computer will recognize the device; otherwise you may need to point the software to your certificate. 
Step 5: You may need to enter your PIN/password to authorize the signing, depending upon the security protocol of the token device. During this process, your software runs your document through a cryptographic hash algorithm (e.g. SHA-256, a member of the Secure Hash Algorithm family). The algorithm produces a fixed-length string of bytes specific to the content of the document, called a digest. The digest is then signed with your private key (in RSA terms, “encrypted” with it); with a token, this operation happens inside the device so the key never leaves it. The result is the digital signature, and it is embedded in your document file along with your certificate, which carries your public key. 
The hash algorithm is such that even the smallest change in your document results in an entirely different digest, while the same document run through the hash algorithm produces the same digest every time. 
Step 6: Save your digitally signed document and send it to the receiver. 
Step 7: The receiver’s software extracts the sender’s certificate, and with it the public key, from the document. It runs the received document through the same hash algorithm the sender used, producing digest A. It then uses the sender’s public key (from the embedded certificate, or retrieved from the public repository) to “decrypt” the signature, recovering the digest the sender signed, digest B. If digest A equals digest B, the document has not been altered since signing, and the signature was made with the private key matching that public key. That alone does not prove who the sender is: anyone can generate a key pair and embed its public key. To trust that the key belongs to the named sender, the software must also check that the certificate chains up to a trusted root (in Nepal, the RCA), is within its validity period, and does not appear on the issuing CA’s CRL. A signature that verifies mathematically but whose certificate is unknown, expired or revoked must be treated as untrusted. 
Step 8: The receiver is confident that the document is genuine and untampered, and everyone is happy. 
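Here are Steps 5 to 7 (and the “Asymmetric Key Cryptography” concept from the key-concepts list) carried out in code. This is an added example written for this page, not code from Adobe Reader, LibreOffice or any Nepalese CA. It uses only the Go standard library: crypto/rsa and crypto/x509 stand in for the token and the CA’s software, the two-level hierarchy (one self-signed root as a stand-in for the RCA, issuing one subscriber certificate directly) is a toy, the document text is constructed, and the CA’s CRL is modelled as a map of revoked serial numbers. In practice the subscriber key would be generated and kept on the token, and the CRL fetched from the CA or the NRDC.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedDocument is what travels to the receiver: the content, the signature
// over its SHA-256 digest, and the signer's certificate (carrying the public key).
type SignedDocument struct {
	Content   []byte
	Signature []byte
	CertDER   []byte
}

// PKI is a toy stand-in for the hierarchy described in the article: a
// self-signed root (the RCA) and one subscriber certificate issued under it.
type PKI struct {
	Root          *x509.Certificate
	Subscriber    *x509.Certificate
	SubscriberKey *rsa.PrivateKey // in practice this stays on the token
}

func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewPKI self-signs a root certificate, then issues a subscriber certificate
// under it. The root's signature on the subscriber cert is the CA's endorsement.
func NewPKI() (*PKI, error) {
	now := time.Now()
	rootKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA (RCA stand-in)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	subKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	subTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Subscriber"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	sub, err := issue(subTmpl, root, &subKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &PKI{Root: root, Subscriber: sub, SubscriberKey: subKey}, nil
}

// Sign is Step 5: hash the document, sign the digest with the private key,
// and bundle content, signature and certificate for transport.
func Sign(content []byte, p *PKI) (*SignedDocument, error) {
	digest := sha256.Sum256(content)
	sig, err := rsa.SignPKCS1v15(rand.Reader, p.SubscriberKey, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedDocument{Content: content, Signature: sig, CertDER: p.Subscriber.Raw}, nil
}

// Verify is Step 7 with the checks a relying party must not skip.
// revoked models the CA's CRL, keyed by certificate serial number.
func Verify(sd *SignedDocument, trustedRoot *x509.Certificate, revoked map[string]bool) error {
	cert, err := x509.ParseCertificate(sd.CertDER)
	if err != nil {
		return err
	}
	// 7a: the embedded certificate must chain to a root we already trust
	// (and be within its validity period; Verify checks that too).
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	// 7b: the certificate must not be on the CRL.
	if revoked[cert.SerialNumber.String()] {
		return errors.New("certificate has been revoked")
	}
	// 7c: digest A (recomputed) must equal digest B (recovered from the signature).
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type")
	}
	digest := sha256.Sum256(sd.Content)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sd.Signature); err != nil {
		return fmt.Errorf("document altered or signature forged: %w", err)
	}
	return nil
}

func main() {
	p, err := NewPKI()
	if err != nil {
		panic(err)
	}
	sd, err := Sign([]byte("Supply agreement: 100 units at NRS 500 each."), p) // constructed sample
	if err != nil {
		panic(err)
	}
	fmt.Println("original:", Verify(sd, p.Root, nil))
	tampered := *sd
	tampered.Content = []byte("Supply agreement: 100 units at NRS 5000 each.") // one extra digit
	fmt.Println("tampered:", Verify(&tampered, p.Root, nil))
	fmt.Println("revoked: ", Verify(sd, p.Root, map[string]bool{p.Subscriber.SerialNumber.String(): true}))
}
```

The three cases in main are the ones a relying party must distinguish: the untouched document verifies, the document with one changed digit fails at the digest comparison (7c), and the same valid document fails once its certificate is on the CRL (7b). Passing a different root to Verify fails at 7a, which is what stops an attacker from simply embedding a self-made certificate in the sender’s name.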

The above example covers digitally signing and sending an unencrypted document. To digitally sign and send an encrypted document, the sender additionally needs the public key of the receiver (from the receiver’s Encryption Certificate) to encrypt the file, so that only the receiver’s private key can decrypt it. This is a separate process from signing. There are many other kinds of digital certificate as well, such as SSL Server Certificates and Device/System Certificates. They all rest on the same key pair and hash principles but follow slightly different signing and encryption protocols.